Our next speaker is Dr Philip Flaviga, who is global privacy counsel for cure technologies. And as you probably know, he is a very important global player in mapping data. And it is going to be very useful to get that global perspective on an issue that on the face of it seems to be about the European Union, but really it is about so much more. [unintelligible passage]
[unintelligible passage] ... that we secured the buy-in of our executive leaders, because we soon understood that, again, it's going to be huge, and it's not only a project on the privacy function side or on the compliance side, but we'll have to reach out to the entire organisation, because some of the requirements will fundamentally change the day-to-day business of people who are far away from privacy topics in their core business. We secured executive buy-in. We also pretty soon onboarded a full-time project manager to take care of all the project management work and the cross-functional interaction and communication. [unintelligible passage] But also, obviously, we have other workstreams identified: data breach management, data protection impact assessments, documentation requirements, the contract side, sourcing agreements and business commitments, HR and a few others. We've nominated people throughout the organisation to support our project, and at the moment we have, I think, a key working group with five subject matter experts and, in addition, more than 40 people from the various business units and support functions working on the project and supporting this. Let me give you a few examples.
So I'd like to talk about, for instance, data breach management, about data protection impact assessments, and also the contract side. Data breach management: I think one of the big accomplishments of the GDPR is the very strict requirements for data breach notifications. On the other hand, from a business perspective, it's a significant challenge to comply with a 72-hour deadline, right? And therefore we really fundamentally reviewed our whole process to make sure that the process can run as smoothly and efficiently as possible, to make sure we have a chance to comply with the 72-hour deadline. Actually, recently I had a discussion with the head of research at the International Association of Privacy Professionals, and she also asked me what we do for data breach management, and she told me about the feedback from many, many other companies. And basically all the other companies, or many other companies, reported: well, we have retained a law firm and we've also retained a forensic company to take care of the forensic investigation in case of an incident that could lead to a data breach. And she asked me, do you have the same approach? And I was pretty surprised, right? Because, as I said, our key driver was the 72-hour deadline and the best efficiency throughout our whole breach process. And no, we have a totally different approach. We have made sure that we are able to run the entire process internally, to make sure that we can perform the most efficient, most effective process there, right? That means our first line of defence starts with very robust security protections on the network side, right? As a next step, also very important, because that is the moment when you actually become aware of an incident that could easily lead to or turn out to be a data breach, is the network monitoring, right?
That means we have implemented various layers of capable network monitoring tools to provide us with the first flag to trigger the breach management process in case there is an incident. Then we've made sure that we have the resources on board to run the forensic process fully internally. That means we do not have to waste time onboarding external forensic firms, making them familiar with our networks, providing them with access, getting NDAs in place and everything, right? So we have all the resources, throughout various time zones, established internally. The same is true for the legal side. We are also able to do the entire legal analysis of data breaches internally, and we have created a policy for data breach management that, depending on the criticality of the potential breach, involves various other parts of the organisation, including executives, including comms, including HR, including technical teams, including legal, and also the forensic and security side. And with that, we also ran some dry runs, and we also iterated and changed the process in cases where we found out that there was room for improvement. We believe that we are in good shape to efficiently manage potential data breaches and respond to them within the very, very tight deadline. That is one example. And actually, I also had very interesting discussions recently, because the data breach notification rule in the GDPR, I think it's a fair statement to say, was inspired by breach laws in the United States, right? However, a series of severe data breaches in the US in the past months also led to a different thought process over there, right? Because there are very strong breach laws in place on the state level, but they don't have something comparable to the GDPR on the federal level, right? There is no comprehensive data privacy law in place, and this leads to challenging situations also for global companies, right?
In cases where there is a potential breach, this might easily affect not only the European Union or member states within the European Union, but a number of other countries throughout the globe. And then the US is particularly difficult, to see what the different, and partly very different, requirements for data breach notifications on the state level are. Right now, they are considering an approach similar to the GDPR for this very topic, data breach notification, to make sure that there is a new standard available, right? And that companies don't have to dive into all the various state laws, to, at the end of the day, better protect citizens and consumers. And I think that's actually very interesting. However, they don't want to implement something like the 72-hour deadline. That's another topic. My next topic is data protection impact assessments. I really like data protection impact assessments. Why? The reason is that in the past, as already said, privacy was often perceived as a topic for the privacy team, right? Sitting over there in the ivory tower and taking care of privacy topics. But data protection impact assessments really move the needle within an organisation from the privacy function to the business, right? Because the privacy function can support data protection impact assessments. And we provide a template. We make sure that we integrate the processes with our systems, with risk management tools in our company, and so on. But at the end of the day, the actual assessment needs to be performed in the business, right? It means that today people like software developers, software engineers, product managers and so on have to think about privacy day in, day out. And that's actually a very good change, in my opinion, right? Because with that, this easily leads to a change of the DNA and the mindset throughout the company. And that's, in my opinion, a very good achievement. What we've implemented is, we've separated two things.
One is the so-called threshold analysis, which is the first step for data protection impact assessments, to find out whether a certain use case would lead to a high risk. The high risk would be the trigger for conducting the actual data protection impact assessment. And right now, our business teams are very busy conducting these threshold analyses, and also the data protection impact assessments in cases where they are required. My third topic is data processing agreements, which is also a game changer for many colleagues in other European countries, right? Because, let's say, the requirements for data processing agreements in the GDPR are pretty close to the requirements that we already knew from the Federal Data Protection Act here in Germany. But for many colleagues in other European countries, those requirements went way beyond what they had so far in their national data protection laws. So that was interesting for us, and this was also the reason why we started drafting new GDPR-compliant data processing agreements already a year ago. We've implemented them in our processes on the procurement side, but also on the business model side, which we needed last year in April, which led partly to interesting conversations, because many other companies were not even aware of the GDPR, or said, oh, yeah, we have to think about it, please come back to us in December or whatever. So that was also very interesting. My recommendation generally for smaller businesses is: if you have not already started your GDPR preparations, start right away. And you should also make sure that you assign responsibilities, because you cannot take care of everything on your own. You have to make sure that your business teams support your GDPR readiness activities, and therefore you have to assign responsibilities to make sure you get the process going. Another topic that is actually close to my heart is the ePrivacy Regulation, and I would like to give you two use cases.
The first use case is: it's 3am in the morning, I'm sleeping, and my fridge is very smart and knows that I want to have milk in the morning for breakfast. But unfortunately I'm running out of milk; there is no milk in the fridge. Therefore the fridge makes sure that it reaches out to an online vendor and orders milk for me, and the milk will be delivered by a drone in a parcel on my balcony while I'm sleeping. It means in the morning I get up and I'm very happy because I have my milk in the fridge. This is one use case, and we are actually working on topics such as drones and drone deliveries, drone litigation and so on. The topic is close to our business, and it is a good example to test where we actually are with privacy law and what we have to accomplish in the future. Because if you think about the process that is required, the communication that is required to enable this convenient service for me, then it certainly involves information that may not be considered personal data, a ton of information that is clearly personal data, and I'm sleeping. I'm not involved in this communication. Machines are communicating on behalf of me, hopefully in my best interest, and that is one use case. My second use case is: I'm sitting in a highly automated vehicle, that means a vehicle without a steering wheel, and I'm the passenger. I'm reading a book, or I'm making a phone call, or I run some searches on the internet, and the vehicle is driving me from A to B. While driving from A to B, I mean, the vehicle has no steering wheel, so who is the driver of the vehicle? Data is the driver of the vehicle, making sure the vehicle can navigate safely from A to B. It has to communicate with various other partners, be it other vehicles in the close vicinity for safety reasons, be it pieces of the infrastructure, road signs, billboards, be it third parties to provide navigation services, or also for convenience purposes.
Ideally, I as a passenger want to have the most seamless user experience: I want to read my book, I don't want to be disturbed. That's another use case where we also have to be mindful, when we are discussing the GDPR, legal bases and machine-to-machine communication, that we allow such use cases. I'm looking forward to this company starting soon.